Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

An anonymous reader writes "My eastern European tech-support job will be outsourced in 6 months to a nearby country. I do not wish to move, having relationship and roots here, and as such I stand at a crossroads. I could take my current hobby more seriously and focus on Java development. I have no degree, no professional experience in the field, and as such, I do not hold much market value for an employer. However, I find joy in the creative problem solving that programming provides. Seeing the cogs finally turn after hours invested gives me pleasures my mundane work could never do. The second option is Linux system administration with a specialization in VMware virtualisation. I have no certificates, but I have been around enterprise environments (with limited support of VMware) for 21 months now, so at the end of my contract with 27 months under my belt, I could convince a company to hire me based on willingness to learn and improve. All the literature is freely available, and I've been playing with VDIs in Debian already.

My situation is as follows: all living expenses except food, luxuries and entertainment is covered by the wage of my girlfriend. That would leave me in a situation where we would be financially alright, but not well off, if I were to earn significantly less than I do now. I am convinced that I would be able to make it in system administration, however, that is not my passion. I am at an age where children are not a concern, and risks seem to be, at first sight, easier to take. I would like to hear the opinion and experience of fellow readers who might have been in a similar situation."

msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said." Handily enough, the original paper is not paywalled.

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases, these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures [attached to] her key, [the respondent] couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."

An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware."

darthcamaro (735685) writes "Docker has become one of the most hyped open-source projects in recent years, making it hard to believe the project only started one year ago. In that one year, Docker has now gained the support of Red Hat and other major Linux vendors. What does the future hold for Docker? Will it overtake other forms of virtualization or will it just be a curiosity?"

Jim_Austin writes "At a press conference this week, in response to a question by a Science Careers reporter, Scott Corley, the Executive Director of immigration-reform group Compete America, argued that retraining workers doesn't make sense for IT companies. For the company, he argued, H-1B guest workers are a much better choice. 'It's not easy to retrain people,' Corley said. 'The further you get away from your education the less knowledge you have of the new technologies, and technology is always moving forward.'"

alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."

Dega704 sends this news from ComputerWorld:
"Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles. Pushing them in that direction apparently is Microsoft's decision to end support for Windows XP on April 8, said David Tente, executive director, USA, of the ATM Industry Association. 'There is some heartburn in the industry' over Microsoft's end-of-support decision, Tente said. ATM operators would like to be able to synchronize their hardware and software upgrade cycles. But that's hard to do with Microsoft dictating the software upgrade timetable. As a result, 'some are looking at the possibility of using a non-Microsoft operating system to synch up their hardware and software upgrades,' Tente said."

An anonymous reader writes "The Snowden revelations continue, with The Intercept releasing an NSA document titled 'I hunt sys admins' (PDF on Cryptome). The document details NSA plans to break into systems administrators' computers in order to gain access to the networks they control. The Intercept has a detailed analysis of the leaked document. Quoting: 'The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. "Who better to target than the person that already has the ‘keys to the kingdom’?" one of the posts says.'"

This is wide-ranging interview with Dev Patel and Poulomi Damany of BitYota, an Analytics as a Service startup that works specifically with MongoDB. Open Source? Not yet. But hopefully soon, they say. And why should an IT person or programmer care about marketing-oriented analytics? Because the more you know about functions in your company besides IT (such as finance, investor relations, and -- yes -- marketing), the more valuable you are as an employee. Dev also mentions the two main things he looks for when recruiting for BitYota: "One is intellect, and the other is attitude." He points out that this is not true merely of BitYota, but of any strong startup.
This is all good information for any job-seeker hoping to land a spot with a startup -- and for anyone who is happy with where he or she works but hopes to earn promotions and raises, too.

itwbennett (1594911) writes "For the past several months Tor developers have unsuccessfully been trying to convince Apple to remove from its iOS App Store what they believe to be a fake and potentially malicious Tor Browser application. According to subsequent messages on the bug tracker, a complaint was filed with Apple on Dec. 26 with Apple reportedly responding on Jan. 3 saying it would give a chance to the app's developer to defend it. More than two months later, the Tor Browser app created by a developer named Ronen is available still in the App Store. The issue came into the public spotlight Wednesday when people involved in the Tor Project took to Twitter to make their concerns heard. Apple did not respond to IDG News Service's request for comment."

Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions."
GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.

itwbennett (1594911) writes "The software driving Bitcoin's network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins. The latest version of bitcoin's software, 0.9.0, contains more than a half dozen fixes for transaction malleability, according to the release notes for the software. Bitcoin Core also contains a new feature for payment requests. Previously, merchants couldn't attach a note describing an invoice, and people also could not supply a refund address to a merchant. The latest version automatically supplies a refund address."
This wouldn't have prevented the Mt. Gox implosion since they weren't using the reference implementation. The foundation also renamed the software to "Bitcoin Core" to avoid confusion between Bitcoin-the-network and Bitcoin-the-reference-implementation,

kc123 writes "The UK government has announced plans to create the Alan Turing Institute intended to tackle problems in Big Data. The government will provide £42m over five years for the project. Turing was a pivotal figure in mathematics and computing. His codebreaking work led to the cracking of the German 'Enigma' codes. In December 2013, after a series of public campaigns, Turing received a posthumous royal pardon, for a conviction of homosexual activity in 1952."

New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirected web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."

colinneagle writes "In a blog post, Andy Patrizio laments the trend — made more common in the mobile world — of companies pushing software updates ahead without the ability to roll back to previous versions in the event that the user simply doesn't like it. iOS 7.1, for example, has reportedly been killing some users' battery power, and users of the iTunes library app TuneUp will remember how the much-maligned version 3.0 effectively killed the company behind it (new owners have since taken over TuneUp and plans to bring back the older version).

The ability to undo a problematic install should be mandatory, but in too many instances it is not. That's because software developers are always operating under the assumption that the latest version is the greatest version, when it may not be. This is especially true in the smartphone and tablet world. There is no rollback to be had for anything in the iOS and Android worlds. Until the day comes when software developers start releasing perfectly functioning, error-free code, we need the ability to go backwards with all software."

concertina226 writes "There's less than a month to go before Samsung launches its new flagship Galaxy S5 smartphone worldwide on 11 April, and the new device has still not gone into mass production due to camera module manufacturing problems. The 16 megapixel camera module consists of six plastic pieces, one more piece than in the existing 13 megapixel camera modules in the Galaxy S4. The problem that Samsung is having is that even though the number of plastic pieces has gone up, the thickness of each piece has remained the same, so in order to fit the new camera module into the Galaxy S5, the lens makers will likely have to develop new technology to make thinner lenses. Not only that, joining six pieces together instead of five for the 13 megapixel camera modules increases the risk of optical faults surfacing at the lens manufacturers' plants dramatically."

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) could offer support for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."
Or maybe you could isolate control systems from the Internet.

itwbennett writes "An archive containing transaction records from Mt. Gox that was released on the Internet last week also contains bitcoin-stealing malware for Windows and Mac, say researchers at Kaspersky Lab who have analyzed the 620MB file called MtGox2014Leak.zip. The files masquerade as Windows and Mac versions of a custom, back-office application for accessing the transaction database of Mt. Gox. However, they are actually malware programs designed to search and steal Bitcoin wallet files from computers, Kaspersky security researcher Sergey Lozhkin said Friday in a blog post."

Bismillah writes "If Attorney-General Brandis gets his way in the process of revising Australia's Telecommunications Interception Act, users and providers of VPNs and other encrypted services will by law be required to decrypt government intercepted data. Because, 'sophisticated criminals and terrorists.' New Zealand already has a similar law, the Telecommunications Interception and Computer Security Act. Apparently, large Internet service providers such as Microsoft and Facebook won't be exempt from the TICSA and must facilitate interception of traffic."

darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researcher only $3,000 per vulnerability."

tippen writes "The management user interface on most networking and storage appliances are, shall we say, not up to the snuff compared to modern websites or consumer products. What are the best examples of good UX design on an IT appliance that you've managed? What was it that made you love it? What should companies (or designers) developing new products look to as best-in-class that they should be striving for?"

Lucas123 writes "Imagine that in 1952, an IBM RAMAC 350 disk drive would have been able to hold only one .MP3 song. Today, a 4TB 3.5-in desktop drive (soon to be 5TB) can hold 760,000 songs. As much data as the digital age creates (2.16 Zettabytes and growing), data storage technology has always found a way to keep up. It is the fastest growing semiconductor technology there is. Consider a microSD card that in 2005 could store 128MB of capacity. Last month, SanDisk launched a 128GB microSD card — 1,000 times the storage in under a decade. While planar NAND flash is running up against a capacity wall, technology such as 3D NAND and Resistive Random Access Memory (RRAM) hold the promise of quadrupling of solid state capacity. Here are some photos of what was and what is in data storage."

Pressure to let go of the final vestiges of U.S. authority over the system of Web addresses and domain names that organize the Internet has been building for more than a decade and was supercharged by the backlash to revelations about National Security Agency surveillance last year." Reader Midnight_Falcon points out this press release on the move from Commerce Department’s National Telecommunications and Information Administration.

puddingebola writes "Target ignored indications from its threat-detection tools that malware had infected its network. From the article, 'Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.' Unfortunately, it appears Target's security team failed to act on the threat indicators."

Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS. 'The Early Random PRNG in iOS 7 is surprisingly weak,' said Tarjei Mandt senior security researcher at Azimuth Security. 'The one in iOS 6 is better because this one is deterministic and trivial to brute force.' The Early Random PRNG is important to securing the mitigations used by the iOS kernel. 'All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,' Mandt said. 'It must provide sufficient entropy and non-predictable output.'"

realized writes in with a closer look at the NSA's QUANTUM system. "Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.) And it allows the NSA to hijack both IRC and HTTP-based criminal botnets, and also includes routines which use packet-injection to create phantom servers, and even attempting (poorly) to use this for defense."

cartechboy writes "The presidential limo is known as "The Beast," and it's getting to be about that time where it's replaced. Currently The Beast is a General Motors creation with a Cadillac badge, but what if the next presidential limo was a Tesla? Stick with me here. The Beast is a massive vehicle, which means there would be plenty of room in the structure to have a long battery pack a la Model S. Plus, it could use the upcoming Model X's all-wheel-drive system. Tesla's air suspension would keep it from encountering high-centering issues. There could even be a charging port on both the front and back so a battery truck could hook up while driving, like in-flight refueling. Obviously the battery pack would need to have extra protection so it wouldn't have any issues with road debris, but that's a minor issue. Tesla is an American company, and that's a requirement for The Beast. So is it that far fetched to think the next presidential limo could be a Tesla?"

SmartAboutThings writes "Up until today, I always had the impression that cloud storage was pretty expensive and I'm sure that many will agree with me. It's a good thing that some bright minds over at Google have the same impressions as they now have drastically discounted the monthly storage plans on Google Drive. The new monthly storage plans and their previous prices are as follows: $1.99 for 100GB (previously $4.99), $9.99 for 1TB (previously $49.99), and $99.99 for 10TB.The 2 dollar plan per month means that the price for a gigabyte gets down to an incredibly low price of only two cents per month."

RSA holds big-time annual security conferences. The 2014 U.S. edition had 25,000 attendees, Stephen Colbert as the closing keynote speaker, and a major controversy (and some anger) from potential speakers and attendees over RSA's reputed $10 million contract with NSA to make sure the company's encryption software had back doors the secretive agency could use to spy on people and companies that use RSA software. This is part of a story that might be called The Snowden Revelations if it is made into a movie, but right now it's still controversial, and enough of a bombshell in the IT security industry that F-Secure's Mikko Hyppönen decided not to speak at this year's U.S. RSA conference, followed by Bruce Schneier, DEFCON founder Jeff Moss, Princeton professor Ed Felten, and other security luminaries.

And so, TrustyCon -- the Trustworthy Technology Conference -- was born. It was a sellout, with 400 people attending at $50 a head, and another 300 on a waiting list who couldn't get in. Slashdot's Tim Lord managed to get in, and got to speak briefly with several people there, including one of the TrustyCon organizers, Joel Wallenstrom. These were crude interviews, done on a "catch as catch can" basis, and the sound in them is poor. (Google sent a camera crew and shot over seven hours of the conference speakers, which you can watch on YouTube if you want to view TrustyCon presentations in good HD with great sound.). Will there be another TrustyCon next year? According to The Register, "The conference organizers said that, at this point, the plan is to hold another get-together next year, but that a final decision will be made closer to the time."

gnujoshua writes "Paul Kocialkowski (PaulK), a developer for the Replicant project, a fully free/libre version of Android, wrote a guest blog post for the Free Software Foundation announcing that whlie hacking on the Samsung Galaxy, they "discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system." They then replaced the proprietary program with free software.

While it may be a while before we can have a 100% free software microcode/firmware on the the cellular hardware itself, isolating that hardware from the rest of your programming and data is a seemingly important step that we can take right now. At least to the FSF anyhow. What do others think: is a 100% free software mobile device important to you?"

Advocatus Diaboli sends news from The Intercept about leaked documents which show that the NSA is significantly expanding its efforts to build an automated system to compromise computers remotely. From the article:
"The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to 'allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.' In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the 'Expert System,' which is designed to operate 'like the brain.' The system manages the applications and functions of the implants and 'decides' what tools they need to best extract data from infected machines."

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."

Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'"
xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries)."

Nerval's Lobster writes "In a Google Hangout with an auditorium full of South by Southwest attendees, government whistleblower (and former NSA employee) Edward Snowden suggested that encrypted communication should become more ubiquitous and easier to use for the majority of Internet denizens. 'The way we interact with [encrypted email and communications] is not good,' he said from somewhere within Russia, where he resides under the conditions of a one-year asylum. 'It needs to be out there, it needs to happen automatically, it needs to happen seamlessly.' For his part, Snowden still believes that companies should store user data that contributes directly to their respective business: 'It's not that you can't collect any data, you should only collect the data and hold it as long as necessary for the operation of the business.' He also couldn't resist some choice swipes at his former employer, accusing high-ranking intelligence officials Michael Hayden and Keith Alexander of harming the world's cyber-security—and by extension, United States national security—by emphasizing offensive operations over the defense of communications. 'America has more to lose than anyone else when every attack succeeds,' Snowden said. 'When you are the one country that has sort of a vault that's more full than anyone else's, it makes no sense to be attacking all day.'"

First time accepted submitter Geste writes "Diane McWhorter pleads in this NYT Op-Ed piece that it's time to stop glorifying hackers. Among other things she rails against providers' tendencies to 'blame the victim' with advice on improved password discipline. Interesting, but what lesson are we to learn from someone who emails lists of passwords to herself?"

First time accepted submitter Trachman writes in with news about a monitoring program designed to help stop future leaks of government documents. "U.S. intelligence officials are planning a sweeping system of electronic monitoring that would tap into government, financial and other databases to scan the behavior of many of the 5 million federal employees with secret clearances, current and former officials told The Associated Press. The system is intended to identify rogue agents, corrupt officials and leakers, and draws on a Defense Department model under development for more than a decade, according to officials and documents reviewed by the AP."

An anonymous reader writes "Google's Eric Schmidt and Jared Cohen were [part of a] wide-ranging session at SXSW today and they revealed that Google's data is now safely protected from the prying eyes of government organizations. In the last few days Google upgraded its security measure following revelations that Britain's GCHQ had intercepted data being transmitted between Google datacenters, Schmidt said that his company's upgrades following the incident left him 'pretty sure that information within Google is now safe from any government's prying eyes.'"

jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility of the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction."

jfruh writes "What went wrong to produce the spectacular implosion of bitcoin repository Mt. Gox? Well, according to some preliminary investigation from the IDG News Service, pretty much everything. There was a lack of management oversight and 'culture,' the code running the site was a mess, and the CEO seemed more concerned about his plans for a 'Bitcoin cafe' than he was about his Japanese bank closing the company's account."

The RSA conference counter-conference TrustyCon livestreamed its videos and made the seven hour video available. Al Billings wasn't happy with that, and split the videos into segments for easy viewing. Quoting: "I don't know about you but I like my viewing in smaller chunks. I also tend to listen to talks and presentations, especially when there is no strong visual component, by saving the audio portion of it to my huffduffer account and listening to the resulting feed as a podcast. I took it on myself to do a quick and dirty slice and dice on the seven plus hour video. It isn't perfect (I'm a program manager, not a video editor!) but it works. ... Additionally, I extracted the audio from each of these files and put an audio collection up on the Internet Archive, for people like me who just want to listen to them."
The videos are collected into a Youtube playlist.

itwbennett writes "A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. Security researchers from Symantec said Wednesday in a blog post that the tool, called Dendroid, is marketed by its creators as an Android remote administration tool (RAT) and is being sold for $300."

The intro to our first video interview with Pwnie Express 'Founder and CEO and everything else' Dave Porcello back in 2012 started with this sentence: 'Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices.' They have more tools now, including some they've released since we mentioned them and their (then) new Pwn Pad back in March, 2013. Now they're working with Kali Linux, a distro built especially for penetration testing (and formerly known as BackTrack). In this video we have Tim Lord chatting with Dave Porcello about recent Pwnie Express happenings at RSA 2014. (If you don't see the video below, please use this link.)